Pages

Friday, January 31, 2014

As I noted
Tuesday Sen. Manchin (D,WV) introduced S 1961, the Chemical Safety and
Drinking Water Protection Act of 2014, in response to the recent Freedom
spill in Charleston, WV. This bill would amend various provisions of the Safe
Water Drinking Act (SWDA, 42
USC §300f et seq) to help prevent the re-occurrence of such an incident.
Among other things it would add a Part G—Protection of Surface Water from
Contamination by Chemical Storage Facilities to that Act.

State Programs

Most of the requirements of this bill would provide States
with new authority and responsibility in their enforcement of the Safe Water
Drinking Act. These provisions are extensions of current enforcement authority.
The States could decline to exercise this authority and then the enforcement
authority would revert back to the Administrator of the EPA. This is how the
Congress gets around the ‘unfunded State mandates’ dilemma; the States don’t
really have to do anything, they can just let the Federal government step in
and do it for them.

Covered Chemical Storage
Facility

The key to this new legislation is the addition of a new
term to the SWDA; covered chemical storage facility. The new §1471 would define
this term as “a facility at which a chemical is stored and the Administrator or
State, as applicable, determines that a release of the chemical from the
facility poses a risk of harm to a public water system” {§1471(1)(A)}.

This is a very broad term that allows the Administrator of
the EPA and State regulators a great deal of leeway in writing the applicable
regulations that would implement this legislation. There is nothing in this
language that would limit the scope of such regulations to bulk storage tanks
such as those that were involved in the Freedom spill.

In fact, there is nothing here that would stop the
regulators from including every privately owned facility, including individual
homes, from coverage because everyone stores chemicals. Realistically, there
would be no way to enforce such sweeping regulations and no agency is going to
try to write regulations that are that sweeping in scope, but it would be
allowed under this definition. The only restriction here is that a regulatory
determination of potential harm to a drinking water system would have to be
made.

Required Chemical
Facility Actions

Section 1472 would require the establishment of State
programs to protect drinking water from contamination by covered chemical storage
facilities. States and the EPA would have one year from enactment to establish
these programs. Those programs would be required to establish standards for
{§1472(b)(2)(A)}:

• Good design, construction, or
maintenance;

• Leak detection;

• Spill and overfill control;

• Inventory control;

• An emergency response and
communication plan;

• An employee training and safety
plan;

• An inspection of the integrity of
each covered chemical storage facility; and

• Lifecycle maintenance, including
corrosion protection;

While it would be hard to argue against any of those
requirements, especially in light of the recent Freedom spill, the devil is
always in the details. It would be helpful to the chemical industry if the EPA
were to issue appropriate guidelines and regulations for the States to enforce.
That way there would be a single, national standard for multi-state
organizations to deal with.

The programs would also have to provide that covered
chemical storage facilities would have to provide information to the EPA, state
SWDA authorities, and the local water treating facility about:

• The potential toxicity of the
stored chemicals to humans and the environment; and

• Safeguards or other precautions
that can be taken to detect, mitigate, or otherwise limit the adverse effects
of a release of the stored chemicals.

The lack of a definition for ‘potential toxicity’ is of more
than a little concern. While the Crude MCHM was relatively non-toxic, it did
have at least some measure of recognized toxicity. Would chemicals that did not
have any known toxicity testing have to be reported? Would chemicals with
extremely high dose rate toxicity have to be reported? There really should be a
standard that combined known toxicity levels and maximum possible spill amount
from a facility. High dose-rates for toxicity and small spill volumes add up to
be a non-issue.

Finally the State programs would be required to spell out
specific financial responsibility requirements (including proof of insurance,
bond, or other similar instrument) for covered chemical storage facilities.
This is very important because later in the bill (§ 1474) is the requirement that if costs are
incurred by the EPA or State for response actions because of a release of a
chemical from a covered chemical storage facility, the facility would be liable
to the Administrator or the State for those costs.

State Program Actions

The programs established under §1472 would also include specific state actions
in support of the program. Listed second {§1472(b)(2)(C)}, but certainly a
primary responsibility would be the requirement to maintain a comprehensive
inventory of the covered chemical storage facilities in the State.

This would have to include a precise physical location for
the facilities because the second requirement, a State inspection program for
those facilities, would have a frequency based upon the location of the
facility with respect to water treatment facility source water assessment areas
defined under 42
USC §300j-13. Facilities located within such source water assessment areas
would have to be inspected every three years. All others would be inspected
every five years.

This is going to require a fairly large staff of inspectors
to be able to maintain reasonable inspection quality while covering the number
of facilities involved. There is no mention of the golden phrase ‘inherently
governmental function’ with respect to these inspections (though it could
certainly be argued to be such), so it is possible that the States could
contract out for this or even require facilities to pay for such inspections by
licensed inspectors.

Information Sharing

Section 1476 would be added to the SWDA to cover the
necessary information sharing aspects of the State plans under this
legislation. It requires that whomever administers the Sate plans (EPA or
State) is responsible for sharing with public water systems information about
emergency response plans for all chemical storage facilities within the same
watershed as the public water system {§1476(a)(1)}
and an inventory of “each chemical held at the covered chemical storage
facilities” {§1476(a)(2)}.
Interestingly, there is no requirement in the State plan section for facilities
to provide that inventory to either the EPA or State.

Copies of the emergency response plans would also have to be
submitted to DHS and the EPA. Presumably the EPA copies would be sent to the
EPA drinking water folks. To whom such plans would be sent at the sprawling DHS
is not specified, but I suppose it would be FEMA.

To assuage concerns about the release of the above
information presenting a security issue, the plan administrators at the federal
or State level would be allowed to restrict the release of sensitive security
information. The bill does not include mention of which sensitive security
information program that would fall under. That could be very important because
each of the existing programs have significantly different sharing rules and
restrictions.

The provision does make clear, however, that there are
limits on that information sharing restriction authority. It does not apply to
public health information (not defined) {§1476(c)(2)(A)}
nor can it be used to prevent sharing with “the Administrator, the Secretary of
Homeland Security, a public water system, or a public agency involved in
emergency response” {§1476(c)(2)(A)}.

Emergency Powers

Section 2 of the bill goes on to expand the current
emergency powers of the EPA Administrator to take action under power of the
SWDA (42
U.S.C. 300i). After first adding the words “or a covered chemical storage
facility” after every mention of “public water system” in the appropriate
paragraphs of 42
U.S.C. 300g–3, section 2(b) adds a new paragraph to §300i that would allow owner-operators of public
water systems to either petition the EPA Administrator to take emergency
actions or for the owner-operator to bring civil actions against “any activity
or facility that may present an imminent and substantial endangerment to the
health of persons who are supplied by that public water system” {§300i(b)(1)(A)}.

Citizen Suits

Adding covered chemical storage facilities to coverage under
the SDWA makes them susceptible to citizen law suits for actions or failure to
take actions under provisions of the new §1472. The citizen law suit provisions
are covered under 42
USC 300j-8.

Moving Forward

The definitions of this bill are just too vague and the
requirements potentially so far reaching that there will not be a single
business organization that will be able to support the bill. This will almost
certainly mean that the bill will never make it to the floor of the Senate and
probably will never even be considered by the Senate Committee on the
Environment and Public Works.

Thursday, January 30, 2014

This afternoon the DHS ISC-CERT published to control system
security advisories. One was a Crain-Sistrunk DNP3 vulnerability on Televen
RTUs and the second was a NULL pointer dereference vulnerability in the 3S
CoDeSys Runtime Toolkit. Both were coordinated disclosures.

Schneider DNP3
Advisory

The DNP3 vulnerability was a standard improper input
validation vulnerability. According to the Robus web site, this is number 16 of
now 28 (they have recently updated the total number) coordinated disclosures
that Crain and Sistrunk have made based upon their proprietary fuzzer
technology; still 12 more DNP3 vendors to go.

This advisory
was originally posted on the CERT secure portal back on January 6th
and it was disclosed on the Schneider Electric web site on December 30th.
Schneider has produced a patch to mitigate the single vulnerability (based upon
the CVSS v2 score it is probably the serial version of the vulnerability).
There is no mention in the Advisory if Crain-Sistrunk were given a chance to
validate the patch.

According to ICS-CERT a relatively low skilled attacker
could remotely exploit this vulnerability to execute a denial of service
attack.

The internal Schneider version
of the advisory (.PDF Download) Schneider did more than just fix this vulnerability
in the firmware update. They note that:

This advisory identifies
a vulnerability reported by Nicholas Miles. 3S has developed an update that
corrects the vulnerability and Miles has reported that it effectively mitigates
the problem.

ICS-CERT report that a moderately skilled attacker could
remotely exploit this vulnerability to cause a system crash within the Runtime
Toolkit appliecation.

ICS-CERT provide a URL for the CoDeSys download
page, but I don’t actually see this update unless it is the SP3 Patch 9
that was released last week (1-24-14), but it sure doesn’t look like it from
the details provided.

Missed
Vulnerabilities

There have been a couple of TWITTER notices by Joel Langill
(@SCADAHacker) about ICS vulnerabilities
that have not yet been noticed by ICS-CERT:

Earlier this month the Congressional Research Service (CRS)
published their latest version of their report on the Chemical Facility
Anti-Terrorism Standards (CFATS) program. This periodic report by Dana Shea summarizes
the current state of the CFATS program, explains current problems facing the
program. Past reports included an analysis of various potential solutions for
CFATS problems that may require Congressional action, that is missing from this
version.

SSP Process

Given the on-going congressional concern about the progress
being made on the Site Security Plan (SSP) front Shea takes a detailed look at
that portion of the program. This discussion begins very good, concise summary
of the SSP regulatory process:

“Over time, the DHS has attempted
to develop a consistent nomenclature for its review and inspection process. The
DHS authorizes an SSP (issuing the facility a letter of authorization)
when the submitted SSP is satisfactory under CFATS. The DHS conducts an authorizationinspection of a facility with an authorized SSP to compare the
authorized SSP to the conditions of the facility. Following a successful
authorization inspection, the DHS approves the SSP (issuing the facility
a letter of approval). At a later date, expected to be one year after
approval of the SSP, the DHS will conduct a compliance inspection of a
facility to determine whether the facility has fully implemented its approved
SSP. Compliance inspections then occur on a periodic basis depending on the
risk tier to which the facility is assigned.” [Footnotes removed]

What is missed in this discussion is why such a complicated
SSP process is necessary. Since Congress declared in the CFATS authorization
that DHS may not specify what security measures are required for SSP approval,
DHS was forced to publish a rather vague Risk-Based
Performance Standards (RBPS) guidance document and facilities were left to
guess what security measures to put into their proposed SSP. Since security is
not a profit center, the apparent actual risk of a terrorist attack is low (no
attacks to present and no reports of credible threats against chemical
facilities), and security measures usually complicate day-to-day operations,
facilities want to establish just the minimum security measures required to
assure compliance with CFATS. As a result, there is a natural tendency to
under-guess what is required for compliance.

Further complicating the process is the fact that the
current SSP data submission tool in the on-line Chemical Security Assessment
Tool (CSAT) uses a question/response format that solicits a limited amount of specific
information about the proposed SSP and relies on the addition of narrative
submissions for the bulk of the details about the program. Facility security
managers have every incentive to limit the amount of information that they
provide since any changes to that information after the SSP is approved will
have to be vetted through DHS before it can be changed. Limiting the scope of
that DHS operational veto is in the best interest of the facility management.

The disjointed and frequently duplicative organization of
the information in the SSP tool further aggravates the approval process by
making it difficult for inspectors to preview the submitted data before they
conduct their authorization inspections. Since large chemical facilities are
already complicated physically and operationally, inspectors have to become
familiar with the unique operational aspects of the facility and become
familiar with the proposed SSP at the same time during the scope of a three day
inspection.

Digesting that inspection information and preparing a coherent
report on how well the facility complies with the RBPS is a time consuming
process. This is complicated by the fact that every chemical facility is unique
in its surroundings, operations, hazards and susceptibility to terrorist attack.
Further, the Chemical Security Inspector (CSI) needs to have an operational
understanding of chemical safety, physical security, operations security, and
cybersecurity to adequately understand all of the implications of the proposed
SSP.

Finally, the CSI workforce is limited to about 160 personnel
which include regional commanders who would be expected to spend only limited
amounts of time in actual inspection activities. Authorization inspections are typically
conducted by 3 to 5 inspectors depending on the size and location of the
facility.

Inspection Rate

Shea spends a great deal of time analyzing the rates of
authorization, inspection and approval and their inter-relationships. I would
assume that this was done at the request of various Committee Chair who are
legitimately concerned with the progression of that process. Looking strictly
at statistical data Shea has provided detailed information about the number of
actions that are necessary to complete the SSP process in a variety of time
frames. Table 1 below summarizes the Shea data for the average monthly rates
for achieving completion of the SSP authorizations and approvals for the facilities
currently the program.

Current

1 year

2 year

5 year

10 year

Authorizations

61

284

142

57

28

Approvals

28

327

164

65

33

Table 1: SSP Authorization and Approval Rates

As I have discussed in various posts (see the latest here)
about the monthly reports the Infrastructure Security Compliance Division
(ISCD) has been publishing on the SSP approval process, there are a lot of
things beyond the control of DHS that have caused significant month-to-month
variations in the approval rates. It is also not clear how the changes in types
of facilities being inspected (alluded to in the CRS report). One would think that
the process would be easier at smaller less complicated facilities, but as I recently
noted the lack of administrative resources at those facilities is also
going to impact the approval process.

It seems likely that DHS will be able to complete the
authorization process in somewhere between two and five years, particularly
since that portion of the process includes only limited CSI involvement. The
projection for the approval process is less sanguine. Shea notes that ISCD has
recently begun the process of compliance inspections which will cut into the
number of authorization inspections that the limited CSI force can conduct.
Also noted as a force time-consumer is the current regulatory requirement to
begin the reauthorization/re-approval process for Site Security Plans. That
should begin in very limited numbers this fall.

New Facilities

Further compounding this issue is a discrepancy between the
number of covered facilities and the number of facilities with a final tier
assignment. Facilities become regulated when they submit a Top Screen that DHS
decides provides presumption of being at high-risk. In the initial Top Screen
submissions in January of 2008 40,000+ facilities submitted Top Screens, but
only about 7,000 were notified by DHS that they were preliminarily determined
to be at high-risk and would have to enter the initial evaluation process of
the regulated chemical companies, the Security Vulnerability Assessment (SVA).

What is not clear in Shea’s discussion is the fact that not
all of those facilities submitting SVA will be confirmed as high risk and be
given a tier ranking assignment. It is only at that point that the facility joins
the cue of facilities in the SSP authorization/approval process. Of the
original 7,000 covered facilities only about 4,000 were required to submit
sight security plans, the remainder were dropped from the CFATS program because
the additional data submitted demonstrated that they were not at high-risk of
terrorist attack.

Shea appears to assume that all of the currently regulated
facilities will be required to submit SSPs that will require future action.
That is not supported by past history. Only about half of the currently
regulated facilities that do not have tier assignments would be expected to
have to submit SSPs.

Alternatives

What is disappointingly lacking in this version of the CRS
report is a look at potential alternatives. With a new CFATS authorization bill
currently in the works it would have been nice to see a look at possible
congressional actions that could address this process.

The simplest action (and the least likely) is for Congress
to increase the funding and authorized head count for CSI. Clearly the limited number
of CSI has got to be a factor slow rate of approvals. Whether or not it is the
only factor has yet to be seen. Shea acknowledges this, noting (pg 16):

“Increasing authorization inspection
capacity might serve to highlight other potential issues within the CFATS
process, such as delays in processing information from authorization
inspections and issuing letters of approval.”

Congress is unlikely to significantly change the number of
CSI. The CFATS program already has more full-time federal inspectors than does
the EPA’s RMP program or OSHA’s PSM program which address similar (yet a far
larger number) facilities. Federal employee costs are high and there appears to
be a general reluctance to pay that cost for enforcement personnel.

Last summer I
proposed another alternative to speed up the SSP authorization and approval
process; adjust the standards by which those actions are reviewed for Tier 3
and Tier 4 facilities. Since these facilities are lower risk, it would seem
reasonable that while the RBPS are lower the standards for review of the
submissions should also be less stringent. While this would not technically
need congressional approval it would certainly need congressional acquiescence.

Personnel Surety

There was one SSP issue that was completely ignored in the
Shea report, technically there have been no site security plan approvals; they
all have been conditional because facilities have not been able to fulfill all
of the standards for RBPS # 12 Personnel Surety. The reason for this is that
DHS has yet to establish a means for facilities to vet personnel given
unaccompanied access to critical areas of the facility against a list of known
or suspected terrorists. ISCD has been at work on this program with little
success for over four years now.

I understand that this will be addressed by CFATS
authorization legislation that will be introduced in the next couple of weeks.
It remains to be seen whether or not that bill would, if passed (more than iffy
in an election year), ease or compound the difficulties that DHS is having
getting a plan that is acceptable to industry and accomplishes the requirements
for personnel surety established in the current authorization.

In any case, some sort of
reauthorization/re-approval process will have to be implemented once a CFATS personnel
surety program is put into place by DHS. This should be able to be an almost completely administrative review, requiring little or no CSI involvement.

Today the Department of Agriculture’s Animal and Plant
Health Inspection Service (APHIS) published a notice in the Federal Register (79 FR
4867-4868) proposing to add another use of methyl bromide to their current Plant
Protection and Quarantine (PPQ) Treatment Manual under the immediate need
provisions of 7
CFR §305.3. This time it is for the treatment of kumquats for fruit fly
infestations.

The new treatment schedule, T101-n-3, has been added to the
PPQ subject to revision or removal based upon comments received per this
notice. Public comments may be submitted via the Federal eRulemaking Portal (www.Regulations.gov; Docket # APHIS-2013-0095).
A copy of the Treatment Evaluation Document (TED) supporting this adoption may
be found in that docket.

STANDARD RANT

Once again the folly of excluding methyl bromide from the
list of DHS chemicals of interest (COI)
for the CFATS program based upon the putative ‘phasing out’ of the
chemical by EPA is exposed. While greatly reduced, the use of methyl bromide will
continue for the foreseeable future as it is an effective pesticide that is
readily adaptable to treatment of new pests.

Since this is a toxic inhalation hazard (TIH) chemical
(which is why it is such an effective pesticide) it should be included in the
CFATS list of COI that trigger reporting to DHS.

Wednesday, January 29, 2014

This morning the House accepted the revised language for HR
2642, the the
Federal Agriculture Reform and Risk Management Act of 2013, found in the Conference Report by a bipartisan
vote of 251 – 166. This was bipartisan in the modern term of the word; it
was a vote by the moderates of both parties that carried the day.

As I noted yesterday
the chemical safety and security measures in the original bill are there no
longer. The closest we got was some funding for some existing minor biosecurity
programs.

It will be interesting to see if the leadership in the
Senate can broker the same sort of bipartisan middle ground over the
bomb-throwers of both parties.

As I mentioned almost two weeks ago Sen. Schatz (D,HI)
introduced S 1951, a bill dealing with CERCLA liability costs. The bill would
extend the financial liability for the consequences of chemical spills under 42
USC 9607.

The bill makes two changes. First it expands the liability
provisions to include more than just the defined hazardous substances found in Table
1 to Appendix A in 49
CFR 172.101. It does this by adding the phrase “(or pollutant or
contaminant if the President takes any response measure under section 104(a) [42
USC §9604(a)] with respect to the pollutant or contaminant)” {§1(1)}after
every mention of ‘hazardous substance’ in 42
USC §9607(a). This mirrors the language in other CERCLA sections that
include coverage of pollutants and contaminants.

It then revises §9607(a)(4)(C) to limit the new liability
coverage to just owner and operators of facilities. It limits the current
CERCLA coverage of liability of others (including waste facility
owner/operators and transporters) to the current hazardous substance language.

The timing of this bill, coming just a week after the
Freedom spill, makes it look like it is targeted against that type of
situation. The Crude MCHM that was spilled into the Elk River would certainly
seem to fall under the pollutant category rather than the current hazardous substance
rule. The President’s emergency declaration in this particular case would not
seem to fit the ‘response measure under section 104(a)’ portion of the
pollutant coverage. That section provision could probably have been addressed
by adding a reference to that section in the disaster declaration.

I suspect, however, that this bill was already in the works
as Sen. Schatz does not represent the affected area (the one co-sponser, Sen.
Rockefeller (D,WV), does however) and neither Schatz or Rockefeller made a
floor speech about the introduction of the bill. The if the bill would have
been specifically targeted at this type of spill, they missed a great press
moment by not giving such a speech.

Unless there is some major objection to this bill by the
chemical industry (and I don’t really see that happening) this bill could
probably pass in the Senate in one of those unanimous consent procedures that
relatively minor legislation is addressed by that body. It would be more
appropriate, however, if this language were added to EPA authorization
legislation.

I have signed up to receive emails from the EO 13650 Working
Group about the actions that the group is taking in support of the President’s
Executive Order on Improving Chemical Safety and Security (EO
13650). This has mainly allowed me to get advance notice of various
meetings, public listening sessions and webinars on EO 13650. I received one
such email notice yesterday about a slightly different webinar, one
specifically targeted to residents in New York and New Jersey.

To date these webinars and public listening sessions have
been focused on receiving public input on chemical safety and security issues.
The ones that I have listened to have been essentially opportunities for
various industry and activist organizations to rehash their well established
points of view about matters of chemical safety and security. This has been a
worthwhile exercise as it has allowed representatives from EPA, OSHA and DHS
chances to publicly ask questions to clarify their understanding of these
various positions.

This webinar, to be held on February 2nd (more
about sign-up details below) will apparently have a slightly different focus.
According to the email it is designed to help people who want “to prepare for
the in-person listening session in Newark, NJ on February 5th in
order to provide comments and feedback on the Executive Order to help improve
the safety and security of chemical facilities”.

The webinar is being hosted by the EPA’s Technical Assistance
Services for Communities (TASC), and EPA community outreach organization.
It is specifically focused at “Community members and grass roots organizations,
including first responders, in the New York/New Jersey area, interested in
improving the safety and security of chemical facilities”.

I have signed up for this webinar (though I am certainly not
a resident of the NY/NJ area) because of its intent to “provide additional
information about the New York and New Jersey areas”. I’m hoping that will
include information about the pilot project on interagency cooperation that is
being headed by the EPA in Region 2 (The Effective Chemical Risk Management
Project, Federal Region 2). There has been very little public information about
this project and I’m hoping that it will be discussed in this venue.

The email provides a link for signing up for the webinar - https://epa.connectsolutions.com/eo13650nj021314/event/event_info.html.
It is a relatively easy sign-up process with a minimum of personal information
required. Interestingly I don’t see any information about an OMB approved
information collection request for the information being requested. I also have
a very low level of concern about the information I provided being shared with Skeo Solutions, the private-sector organization
that will apparently be conducting the webinar for TASC.

Tuesday, January 28, 2014

Yesterday there were 21 bills introduced in the House and
Senate. One of those will be of specific interest to readers of this blog:

S 1961Latest Title: A bill to
protect surface water from contamination by chemical storage facilities, and
for other purposes. Sponsor: Sen
Manchin, Joe, III (D,WV)

I wrote
about this bill over a week ago after the initial
press release from Sen. Manchin, but we will still have to wait for the
bill to be published to see how it attempts to achieve its objectives. There is
frequently a disconnect between what those press releases say and what the bill
actually attempts to do.

NOTE: Rumors continue to abound about Rep. McCaul’s (R,TX)
CFATS authorization bill, but it has not yet been introduced. I suspect that it
is being further refined.

The Conference
Committee Report on HR 2642, the Federal Agriculture Reform and Risk
Management Act of 2013, was submitted this evening and considered in the
House Rules Committee. The rule for the consideration of HR 7 includes
provisions for the consideration of the HR 2642 Conference Report.

The chemical safety and security provisions that were
included in the version that the House originally passed last July were not
included in the Senate version of the bill and did not make it back into the Conference
Report version. The closest thing to chemical security provisions were found in
Title VII, Subtitle E, Part 1 – Agricultural Security. Those provisions were
funding for various biosecurity programs; including:

• Research and development of agricultural countermeasures, 7 USC
8921(b) {§7503}; and

• Agricultural Biosecurity Grant Program, 7 USC 8922(e) {§7504}

H
Res 465 provides for the consideration of both HR 7, an anti-abortion bill,
and HR 2642. Section 2 of that resolution provides for an hour of debate, no amendments, and a vote on
the amended bill. There have been enough deal making made that there should be
enough bipartisan support for the bill to allow it to pass over the objections
of conservatives who will object that the bill does not cut spending near
enough.

Because of the State of the Union Address this evening
and the shortened session in the House to prepare the Chamber for the Address,
it is unlikely that HR 2642 will get voted on today (Tuesday); Wednesday is much more
likely.

Monday, January 27, 2014

Both the House and Senate will be in session this week and
the big news will, of course, be the President’s State of the Union (SOTU)
Address. With this on the agenda there is a relatively light hearing schedule in
both houses of Congress. There is only one this week that may (and this may be
a stretch) be of specific interest to readers of this blog, a House hearing on
TSA criminal investigators. There may be an authorization bill finally wending
its way to a final vote this week as well.

TSA Criminal
Investigators

On Tuesday the Transportation Security Subcommittee of the
House Homeland Security Committee will be holding a
hearing “Examining TSA's Cadre of Criminal Investigators”. Since these
investigators also handle surface transportation investigation there may be
some mention of chemical transportation security measures, but I’m not going to
hold my breath.

All of the witnesses for this hearing are from DHS,
including a representative of the DHS IG’s office. I am kind of surprised not
to see someone from either the GAO or the TSA employees union.

HR 2642 Conference
Report

The agriculture authorization bill is one of those big deals
that needs to be passed every year. Here we are just over a quarter of the way
through the fiscal year and, according to the Majority
Leader’s web site, we may be getting a conference report this week.

The original version of the bill introduced in the House
included some chemical
safety and security measures, but they were
removed in the Senate version. It will be interesting to see if any make it
back into the Conference version of the bill.

SOTU

I expect that the President’s annual speech tomorrow will
include at least some mention of chemical safety and security measures,
especially after the high profile train wrecks and the recent spill in West
Virginia. I don’t really expect anything new on this front other than perhaps a
plug for actions being taken (VERY SLOWLY) under his Improving Chemical Safety
and Security EO.

Early last week the Canadian Transportation Safety Board
(TSB) and the US National Transportation Safety Board (NTSB) made a coordinated
series of recommendations based upon the preliminary investigation results
from the Lac-Mégantic crude oil train wreck and initial investigation results
from the Casselton, ND crude unit train wreck.

The twin recommendation documents published on the January
21st outline what is currently known about the two accidents and
additional related rail incidents that occurred with trains transporting
ethanol. In addition they provide supporting details for the six recommendations
that will be discussed below.

NOTE: It is interesting that the NTSB has expanded this
discussion to include the bulk shipment of ethanol in unit trains. Given that
there are more car loads of ethanol being shipped than crude oil, and given
that they are using the same types of cars over the same tracks, it might be
interesting for someone to look into why there has been a rash of crude oil
train wrecks, but not similar rash of ethanol unit train wrecks. Could it be
related to the fact that crude oil is not a ‘clean fuel’ and may thus be preferentially
targeted by environmental extremists?

Route Planning

Two of the six recommendations (R-14-1 and R-14-4) are
virtually identical in that they recommend that the two agencies work together
to:

“Expand hazardous materials route
planning and selection requirements for railroads under Title 49 Code of
Federal Regulations 172.820
[Link Added] to include key trains transporting flammable liquids as defined by
the Association of American Railroads Circular No. OT-55-N and, where
technically feasible, require rerouting to avoid transportation of such
hazardous materials through populated and other sensitive areas.”

The current route planning and selection requirements are
limited to bulk rail shipments of explosives, toxic inhalation hazard (TIH) chemicals,
and radioactive materials {§172.820(a)}.
There has been no indication that the complicated rules for route evaluation
(requiring evaluation of 26 separate and un-weighted factors Appendix
D to Part 172) has done anything to reduce the number of shipments of
the covered chemicals through major metropolitan areas which was arguably the
intent of the regulators.

The current §172.820
regulations do not require the re-routing of the covered material ‘to avoid transportation
of such hazardous materials through populated and other sensitive areas’. It
requires a vaguer standard of:

“Using this process, the carrier
must at least annually review and select the practicable route posing the least
overall safety and security risk.” {§172.820(e)}

Enforcement of these route selection decisions is more than
a little vague. There is no requirement to submit the analysis documents to
either the FRA or PHMSA (or TSA for security issues) for approval. They must be
made available to inspectors from DOT or DHS. Finally the DOT may only require
a change in route selection in concert with the TSA and only after the Surface
Transportation Board determines that the alternative route is “economically
practicable” {§172.820(j)}.
Because of the lack of a measurable standard for the “most secure practicable
route available”, it is unlikely that any such order would stand up in court.

Spill Response Plans

There are nearly twin recommendations (R-14-2 and R-14-5) to
the two agencies dealing with spill response plans. The primary responsibility for
these plans is given to PHMSA:

Section 130.31
sets for the current requirements for spill response plans. While there are a
number of administrative requirements, the key action item is found at §130.31(b)(4):

“Identifies, and ensures by
contract or other means the availability of, private personnel (including
address and phone number), and the equipment necessary to remove, to the
maximum extent practicable, a worst case discharge (including a discharge
resulting from fire or explosion) and to mitigate or prevent a substantial
threat of such a discharge;”

The concern of the NTSB being addressed by the
recommendation to revise the planning thresholds is that the current language
in §130.31(a)(2) limits the
requirements for the spill response plan to just a spill from a single
packaging. The accident record in the last year surely indicates that more than
a single railcar (the packaging in this instance) will be involved in the spill
and subsequent fire.

The NTSB is concerned that the current language allows for
inadequate funding support for the spill response in the types of accidents
with crude oil and ethanol unit trains that we have been seeing. The adequate spill
response for a single car spill may be totally inadequate for a a multiple rail
car discharge.

The FRA counterpart to this recommendation addresses the
need to audit the plans to “ensure that adequate provisions are in place to
respond to and remove a worst-case discharge to the maximum extent practicable
and to mitigate or prevent a substantial threat of a worst-case discharge.
(R-14-2)” Since there are no provisions in Part 130 requiring the submission of
spill response plans or the approval of emergency response plans, there is
currently no good method of determining if the plans currently in place (even
given their single packaging scope) are adequate to the task at hand.

One other significant shortcoming in the current spill
response plan requirements is that there is no requirement in the plan in how
to deal with fires and explosions subsequent to a spill. The only real response
requirement is listed in §130.31(b)(3)
which describes authority to “implement removal actions”. It might be
worthwhile considering the addition of fire suppression planning for unit
trains carrying flammables.

Crude Hazard
Classification

The last two recommendations address the issue of proper
classification of crude oil hazards. Again PHMSA is given the task of
establishing the requirement and standards while FRA is given the
responsibility for auditing the performance of rail shippers.

The Hazardous Material Regulations (HMR) already require a
shipper to properly classify and describe hazardous materials {§173.22(a)(1)}
and §173.120
provides the definition of flammable liquids (Class 3) and §173.121
provides the testing criteria for the assignment of packing groups within that
class.

While PHMSA is continuing its testing of samples of the
Bakken Crude to determine if any additional testing requirements might apply,
the NTSB discussion of the classification of the crude in the Casselton
incident (pg 11 of the PHMSA recommendation letter) indicates that the initial
shippers to the rail transloading facility had properly classified the material
as Packing Group II while the shipping papers for the train cars incorrectly
identified it as the less hazardous Packing Group III.

It is not clear how the NTSB intends for the FRA to audit
the proper classification of crude oil shipments. The only real way to conduct
such audits would be to pull samples from random railcars and send them to an
outside lab for testing. Currently the only authority for opening hazmat packages
in transit is found in §109.5,
but it only allow for opening of a
packaging component “that is not immediately adjacent to the hazardous
materials contained in the package”. In other words samples may not be taken.

The one exception
to this is that when a DOT agent “agent has an objectively reasonable and
articulable belief that the packages may pose an imminent hazard” {§190.7}
the packaging may be transported to a facility for testing. This is clearly not
intended to be used for audit purposes.

Safety and Security
Plans

While not included in the formal numbered recommendations made
by the NTSB, there is a lengthy discussion (pgs 10-11) in the documents
relating to the requirements for the preparation of transportation safety and
security plans for Class 3 materials classified in Packing Group I or II {§172.800(6)}.
The NTSB concludes that discussion by recommending “that the FRA audit shippers
and rail carriers of crude oil to ensure they are using appropriate hazardous
materials shipping classifications, have developed transportation safety and
security plans, and have made adequate provision for safety and security” (pg
11).

The current requirements for the security plan are more than
a little vague and provide no measure to determine the adequacy of those plans.
Section 172.802(a)
provides a rather generic description of the components that will be included
in the security plans; including:

• Personnel security (surety);

• Unauthorized access;

• Enroute security;

Since there are no real descriptions of what these
components will include (for example there is no requirement for vetting
personnel against a terrorist screening list or even a criminal background
check) there is no way that such plans could be determined to be inadequate
from a actionable regulatory point of view. Without being able to compel a
shipper or railroad to achieve some measurable level of security, there is no
practical need for an audit of such plans.

Now, if the NTSB had recommended that the provisions of Subpart
B of the TSA Rail Transportation Security Regulations pertaining to rail
security sensitive materials (again explosives, TIH chemicals, and radioactive
materials similar to those requiring route planning) were made to apply to unit
trains of crude oil or ethanol, then there would be some actual security
planning and execution efforts to audit.

Moving Forward

The NTSB does not have any regulatory authority to compel the
FRA or PHMSA to comply with their recommendations. Neither agency has a real
good track record for timely adoption of NTSB recommendations. That combined
with the industry’s almost legendary resistance to change and a well understood
proclivity to use the courts to resist changes ensure that none of the
recommendations will move forward quickly, if at all.

Sunday, January 26, 2014

I’m hearing interesting rumblings from those in the CFATS
field that as more and more small chemical facilities are getting visited by
DHS Chemical Security Inspectors (CSI, oh that hurts; maybe CBS should sue for
copyright infringement) a new ‘security issue’ is being found with increasing
regularity. While these facilities appear to be doing a yeoman’s job at
actually securing the chemicals on site, they are having problems documenting
their security procedures.

The Problem

As DHS moves into the site security plan authorization and
approval process in the Tier 3 and Tier 4 facilities, they are encountering a
large number of small facilities, frequently with less than 10 employees on
site and no corporate EHS&S support. The Security Manager at these types of
facilities is frequently the same person that handles all of the other
regulatory compliance issues for the facility along with another full time job
related to chemical production or distribution.

This routinely means that while security measures might be
employed, there is little time for preparing all of the documentation that goes
into supporting a real security plan. There are dozens of written procedures
and processes that the CSI need to be able to see when they arrive on site to
verify that the facility understands its security program and is properly
implementing all of the necessary support requirements that are part and parcel
of the physical security investments that have been made.

For example, there might be a bright new 10 foot security
fence with razor wire topper and an automated gate that opens only to employee
ID cards, but there needs to be a document that describes the processes that
support that fence. That barrier plan document would include a description of:

• Who/what the fence was designed
to keep out;

• How the fence is kept under
observation to ensure that no one cuts or climbs over it;

• How often the fence is inspected
for physical integrity;

• Who is responsible for ensuring
that defects are repaired;

• What is done while a defect is
awaiting repair to compensate for the deficiency;

• How the employee ID cards are
issued and controlled;

• Etc.

Each and every security measure that a facility employs
needs this sort of documentation that can be shown to a visiting inspector
(along with supporting records that show that required periodic actions are
being taken). Without that documentation, the DHS cannot really tell if a
facility is really properly secured.

CSAT Tool Lacking

It looks like the original intent of the developers of the
Chemical Security Assessment Tool (CSAT) was to provide an on-line data entry
tool that would allow much of this type of documentation to be bypassed, making
the job of security managers much less complicated. Unfortunately, by the time
DHS got around to implementing the Site Security Plan (SSP) portion of the tool
it became painfully obvious that there was not enough time, money or support
available to prepare an SSP tool that could do more than ask some general
questions about a very complicated series of security topics.

I understand that suggestions have been made that DHS
Infrastructure Security Compliance Division (ISCD, the folks that run the CFATS
program) provide an on-line series of templates for the various supporting
plans and documents that may be needed by a facility to support their SSP. For
some fairly obvious reasons, that has not been done.

First off, ISCD is already stretched pretty thin doing what
it is already required to do; authorize, approve and inspect 3000+ site
security plans. We can argue whether or not they should have developed such
templates as part of the original SSP tool development process, but that is
water under the bridge and the current management team was not in charge of
that process. At this point in time they don’t have the time, money or
personnel to accomplish that type of template development.

I am hearing rumors that a variety of facilities that have
already been authorized and approved have offered to allow some of the
documents that they have produced to be used as templates (after filing off the
appropriate nameplates and serial numbers, of course). This is quite heartening
and a positive sign of how well the industry accepts their general responsibility
for chemical security in general.

Unfortunately, the §550 bugaboo once again rears its ugly
head; “the Secretary may not disapprove a site security plan submitted under
this section based on the presence or absence of a particular security measure”.
ISCD has, from its very inception taken this congressional restriction very
seriously (too seriously in my opinion, but then again, I don’t have to go back
to Congress every year of reauthorization either). One just has to look at the
repeated weasel wording in the Risk-Based
Performance Standards guidance document to see how seriously the Department
takes this requirement.

There is no way that ISCD is going to provide templates for
SSP support documents for fear of running afoul of this restriction.
Additionally, the Department lawyers would vociferously argue against providing
such templates for fear having to defend ISCD against legal complaints when
facilities that used such templates were found wanting in their SSP plan
implementation. Templates would have to be generally enough written that a lot would
still depend on how the various blanks were filled in. Besides, chemical
facilities covered under CFATS are so diverse that it is unlikely that a single
template, no matter how generally written, would cover all situations.

Industry Support

It looks like Congress, reading the full language of the §550
authorization, actually thought that there would be a viable solution to this
issue. We can see this in the language related to alternative security plans
(ASP). They thought that the various areas of the chemical industry would come
up with generic security programs tailored to the specific requirements and
security issues facing that industry segment.

Unfortunately, to date only one ASP has been developed that
is in wide spread use and that is the one that was introduced just over a year
ago by the American Chemistry Council (ACC). The ACC’s
ASP is much closer to being an actual site security plan template than is
the SSP tool in CSAT. It is still, however, falls short of the actual policies
and procedure documents that need to be in place at all CFATS covered
facilities. And there is a good reason for this; the ASP document once
submitted and authorized/approved by DHS cannot be changed without approval of
DHS.

Policies and procedures supporting the ASP need to be living
documents that can be changed and modified to fit changing circumstances. As
long as those changes don’t materially modify the processes approved by DHS
there should be no need to burden the ISCD folks with a change approval
request. So the data submitted to the DHS in the ASP needs to cover much of the
same information as would found in the policy and procedure documents, but not
in quite so much detail. (NOTE: Finding the acceptable limits of that detail is
what is taking so much time in the SSP authorization and approval process.)

In any case, it would be helpful if the various chemical
industry support groups would help the smaller companies in their organizations
by developing template documents for many of the security policies and
procedures that facilities would have to have in place to support their SSP.

ASP Approvals

While I am on the topic of ASPs, I heard a very interesting
comment from the field the other day about why DHS is not pushing the ACC ASP.
Now Director Wulf has made an official
statement in support of the use of the ACC ASP, but there is nothing on the
DHS CFATS web sites specifically mentioning the ACC ASP, and there is certainly
no link to the ASP on the DHS sites. Some are questioning this lack of support.

The comment I heard this week is that the reason for this
lack of support is that the cost of the design and maintenance of the current
CSAT tool would be hard to justify if there were wide spread adoption of the
ACC ASP. While I would not be surprised to hear that there were individuals
associated with the CSAT development that might have their feeling hurt to hear
that their SSP tool was less than adequate (AND IT CERTAINLY IS THAT), I do not
think that is why the current management team at ISCD has not made their
support for the ACC ASP more widely known.

First off, any federal bureaucrat has to be very careful
about how they endorse a commercial product. While the ACC ASP is certainly
free-of-charge for use the ACC and its affiliated companies are commercial enterprises,
so Director Wulf has to be careful in that respect. Also, as other ASPs
hopefully come into use failure to publicly recognize and support those with
the same alacrity that they supported the ACC ASP could lead them into
political problems, so a measured approval is probably politically prudent.

There should be, however, a link on the SSP homepage to any
and all ASPs that have been approved by DHS. If there is only one such link
because only one such program has been approved by ISCD, then so be it. This
should serve as an incentive for other organizations to develop their own
industry specific templates.

Saturday, January 25, 2014

Yesterday the OMB’s Office of Information and Regulatory
Affairs (OIRA) announced
that it had approved the EPA’s notice of proposed rulemaking (NPRM) for the
2014 Critical Use Exemptions to the phase out of the use of methyl bromide
under the Montreal Protocol for the Protection of Atmospheric Ozone. This
annual rule making exercise is proceeding slower and slower; this approval
comes one month later than did the 2013 OMB approval.

The OIRA notice states that the NPRM was approved ‘consistent
with change’. Presumably this means that they are requiring EPA to make some
relatively minor changes to the draft NPRM that had been submitted for
approval. This means that we probably won’t see publication of the NPRM until
the first week in February.

As
I noted last May when EPA submitted the final rule for the 2013 Critical
Use Exemption, because of this delayed rulemaking process EPA must provide
extralegal assurances that it will not take actions against producers, dealers
and users of methyl bromide for the production, importation or use of methyl
bromide this year while the rulemaking process proceeds.

According to the 2014 CUE web page, the NPRM should be
authorizing the use of methyl bromide for the following uses; Commodities
(740 kg), Food
Facilities (22,800 kg), Ham (3,730
kg), and Strawberries
(415,067 kg). No mention is made of the various emergency use approvals that
EPA and the Department of Agriculture (eg: Cotton
Seed and Blueberries)
have approved since the 2014 CUE list was submitted to the UN for approval in
January of 212.

Standard Rant Warning

As always, I will take this opportunity again to argue that
the removal of methyl bromide, a toxic inhalation hazard chemical, from the
final Appendix A, 6 CFR Part 27 list of DHS chemical of interest because methyl
bromide use was being phased out was ill-advised and contrary to the
congressional intent to have DHS regulate dangerous chemicals that could be
used by terrorists in a weapons of mass destruction attack within the United
States. Methyl bromide should be added back to the COI list post-haste.

Friday, January 24, 2014

I had an interesting theoretical CFATS question thrown at me
this week by a reader, a question that for fairly obvious reasons was not going
to be offered to the folks at the DHS Infrastructure Security Compliance
Division (ISCD), the people who administer the CFATS program. As I have to
periodically remind people, I am not a lawyer, so I cannot offer legal advice
and I certainly don’t work for ISCD, so my regulatory advice is somewhat
suspect. Having said that; I always like looking at odd things from different
perspectives. So let’s look at this question.

The Situation

A facility routinely uses aqueous ammonia and receives the
material in bulk in quantities in excess of 20,000 lbs. The concentration of
the aqueous ammonia ordered and used in the facility is 19%. This puts the
product outside of the description for ammonia found in Appendix
A, 6 CFR Part 27 since that document describes the DHS Chemical of Interest
as “Ammonia (conc. 20% or greater)”. So the facility has no responsibility for
reporting their use of aqueous ammonia to ISCD even though the amount of the
material on-hand routinely exceeds that screening threshold quantity (STQ) for
the defined ammonia (20,000 lbs).

A mistake on the vendor’s part results in a load of 28.4%
ammonia being sent to the facility to fulfill an order for 19% ammonia. The
paperwork accompanying the shipment (including both the bill-of-lading and the
certificate of analysis) indicates that the material received is 19% ammonia as
requested, so it is accepted and unloaded by the facility. Subsequent use of
the material indicates that it is more concentrated than it should be and
subsequent on-site testing confirms that a mistake has been made.

The vendor acknowledges the mistake, apologizes
vociferously, and expeditiously removes the unused portion of the material from
the facility and makes a complete refund for the full amount delivered
(including the portion consumed).

The question is, does the facility have to report the 40,000
lbs of 28.4% ammonia received to DHS ISCD on a Top Screen submission?

“A facility must complete and
submit a Top-Screen in accordance with the schedule provided in § 27.210, the calculation
provisions in § 27.203, and the minimum concentration provisions in § 27.204 if it
possesses [emphasis added] any of the chemicals listed in appendix A to
this part at or above the STQ for any applicable Security Issue.”

The 40,000 lbs of 28.4% ammonia delivered to the facility is
clearly a chemical listed in Appendix A above the STQ. This means that compliance
with the CFATS regulations requires that the facility register with CFATS for
the purpose of establishing a Chemical Security Assessment Tool (CSAT) account
so that a Top Screen can be submitted within 60 days of the time that the 28.4%
ammonia was delivered to the facility.

On the Other Hand

The offending ammonia was removed from the site before there
would have even been a chance for DHS to provide log-in credentials for the
facility personnel to begin to work on the Top Screen submission. The toxic gas
release hazard was gone with the off-spec ammonia. There was no intent by the
facility to purchase, obtain or use ammonia in any concentration higher than
19%.

While the Top Screen submission is relatively un-intrusive as
chemical regulations go, it does take time and administrative efforts to
complete the registration and Top Screen submission process. For a facility to
have to make even those relatively minor efforts for a mistake made and
corrected by someone else, does not seem to make a lot of sense.

The purpose of the CFATS regulations is to ensure that
chemical facilities that make, store or use chemicals that could be used by
terrorists in effecting a chemical attack, either by causing a hazardous
release of toxic, flammable or toxic chemicals or by using stolen or diverted
chemicals to make improvised chemical weapons or explosives that would be used
in a subsequent attack. In this particular case, that purpose would not be
served by requiring the facility to complete the registration/Top Screen
processes for chemicals that are no longer and never again should be on hand at
the facility.

Letter or Intent of
the Rule

This comes down to the old dilemma, which is more important,
the letter of the law or the intent of the law. I personally tend to come down
on the side of the spirit of the law. While the law should be blind and
impartial so that it treats everyone the same, it also must be practical. Blind
adherence to the letter of the law is frequently discriminatory in application.
A small company being required to meet the §27.200
requirements in this case would be more burdened by that requirement than a large
company in the same situation.

Since the purpose of the regulation in this case would not
be measurably served by a strict adherence to the letter of the law, the
application of the burden would be discriminatory against the small company and
(again in my opinion) should be avoided.

Yesterday the DHS ICS-CERT published an advisory
for twin path traversal vulnerabilities reported in the GE Proficy CIMPLICITY
application by amisto0x07 and Z0mb1E. The disclosure was coordinated through
the Zero Day Initiative (ZDI). A patch has been developed by GE for one of the
vulnerabilities and a configuration change has been suggested for the other.
There is no indication that the researchers have validated the efficacy of
these mitigation measures.

ICS-CERT notes that a moderately skilled attacker could
remotely exploit either of these vulnerabilities to execute arbitrary code on
the system.

GE has published two advisories (GEIP13-05
and GEIP13-06)
that discuss the vulnerabilities in more detail and explain the mitigation
measures.

GEIP13-05 – No Patch

This GE Advisory notes that the vulnerability is due to a
single component (gefebt.exe) and recommends that ‘all copies’ of the file be
deleted. The advisory provides information about where copies of the file
should be found in the server directories and on the server web pages.

The advisory notes that making these changes will disable
links on the default home page on the CIMPLICITY system that allow users to “to
browse CIMPLICITY projects and view alarms, points, screens and objects”. To
regain this functionality, the default home pages will have to be re-created
using the “Create Webpage” option.

This could be a very complex remediation.

GEIP13-06 – Patch
Available

The second advisory provides a link for a patch to
CIMPLICITY version 8.2. It notes that users of versions earlier than 8.2 should
upgrade to version 8.2. Interestingly, versions 4.0 and earlier are not
affected by either of these vulnerabilities.

GE provides two other mitigation options as alternatives to
updating or applying the patch to version 8.2. If web –based HMI functionality
is not need, they provide the option of disabling that functionality. If that
functionality is required there is the option of using an alternative web
server, IIS web server instead of the vulnerable CimWebServer.exe.

Delayed ICS-CERT
Notification

Joel Langill notes that
OSVDB has been reporting this vulnerability since the middle of December. The
GE advisories are also dated from the same point in time and both note that
public disclosure of the vulnerabilities was expected by December 31st.

There is no explanation in the ICS-CERT advisory as to why
it has taken them so long to report this vulnerability. These delays are
becoming increasingly common with ICS-CERT advisories. More importantly it is
becoming more common for ICS-CERT to ignore or miss reports of ICS
vulnerabilities all together. Perhaps it is time for Congress to exercise their
oversight responsibility and look into the operations of ICS-CERT.

Thursday, January 23, 2014

Today the Chemical Safety Board published a notice in the
Federal Register (79 FR 3777-3778)
changing the purpose of the meeting that they had originally advertised as a
meeting to review and approve the staff report on the 2010 fire and explosion
at the Anacortes, WA Tesoro Refinery.

A meeting
notice published last month indicated that the CSB Staff would present
their draft report at a public meeting on January 30th and after
allowing for public comments on the draft, the CSB would publicly consider
approving the report.

While the draft staff report has not yet been made publicly
available, it was expected to include a ‘safety case’ regulatory scheme for
refineries similar to the one that was discussed last week in Richmond, CA for the Chevron Refinery
accident investigation. However, since that staff report was
not accepted (yet not rejected either) when two Board Members requested
more staff work on investigating some of the negative public comments received
on the new regulatory scheme proposal, the Board is not going to attempt to
review and vote on accepting the Staff Report on the Tesoro Refinery accident
at the scheduled January 30th meeting.

Instead the Staff will make a public presentation of their draft
report and listen to public comments on that presentation. The Draft report
will then be posted to the CSB web site and the CSB will accept comments on the
proposal for 45 days. After that time they will reschedule a public meeting to review and vote on accepting the Staffs
recommendations.

To see the comments that the CSB received on the safety case
issue, click
here. To see the CSB responses to those comments, click
here.

About Me

Patrick Coyle is a freelance writer dealing with chemical security and safety issues. He has 15 years experience in the US Army with extensive experience in training development, delivery and evaluation. He spent 20 years working in the chemical process industry developing and improving chemical manufacturing processes with a large emphasis on chemical and process safety. He currently writes a daily blog, the Chemical Facility Security News, examining the issues associated with the Chemical Facility Anti-Terrorism Standards administered by the Department of Homeland Security.